St Jude sues short-selling MedSec over pacemaker 'hack' report

Defibrillator security saga will go to court

Medical device maker St Jude has filed suit against a security startup that shorted its stock and publicized alleged flaws in its products for profit.

Pacemaker supplier St Jude has sued both MedSec and investment research biz Muddy Waters in Minnesota, America, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.

"We felt this lawsuit was the best course of action to make sure those looking to profit by trying to frighten patients and caregivers, and by circumventing appropriate and established channels for raising cybersecurity concerns, do not use this avenue to do so again,” St Jude president and CEO Michael Rousseau said in announcing the suit.

"We believe this lawsuit is critical to the entire medical device ecosystem – from our patients who have our life saving devices, to the physicians and caregivers who care for them, to the responsible security researchers who help improve security, to the long-term St Jude Medical investors who incurred losses due to false accusations as part of a wrongful profit-making scheme."

Muddy Waters and MedSec made headlines in August when they claimed to have discovered security vulnerabilities in St Jude's pacemaker and defibrillators that could be exploited by hackers to put patients' lives at risk.

Rather than disclose the flaws to the manufacturer, the MedSec team instead went to investment house Muddy Waters and turned a tidy profit by short-selling St Jude's stock after its price dropped when they published their damning claims.

"Our top priority is to reassure patients, caregivers and physicians who use our life-saving devices that we are committed to the security of our products, and to ensure patients and their doctors maintain ongoing access to the proven clinical benefits of remote monitoring," said St Jude vice president and chief medical officer Mark Carlson.

"We decided to take this action because of the irresponsible manner in which these groups have acted."

Experts at the University of Michigan also poured doubt on one claim by MedSec that St Jude's equipment is remotely brickable. ®